Create configuration items for Windows 10 devices

Use the Configuration Manager Windows 10 configuration item to manage settings for Windows 10 computers that are managed by the Configuration Manager client.

Important

In this release, if you created a Password setting as part of a configuration item of the type Windows 10 (for a device managed with the Configuration Manager client), be aware of the following problem. If the setting doesn't already exist, or hasn't been configured on the Windows 10 device, it will incorrectly evaluate as compliant.

As a workaround, when you create a setting for these devices, ensure that Remediate noncompliant settings is selected on the settings pages of the Create Configuration Item wizard. In addition, when you deploy a configuration baseline containing a Windows 10 configuration item containing password settings, select Remediate noncompliant rules when supported. You make this selection in the Deploy Configuration Baselines dialog box. By using this workaround, the setting is monitored, and remediated if it's found to be noncompliant. After remediation, the setting is correctly reported as Compliant (unless a problem is encountered, in which case it will report Error).
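A local cross-check for the false-compliant case described above, as an added example that is not part of the original article: it exports the effective account policy with `secedit` and compares it to the values you expect the configuration item to enforce. The `$Expected` thresholds are hypothetical, and the script assumes the password settings surface in the device's local security policy.

```powershell
#Requires -RunAsAdministrator
# Added example: read the effective local password policy with secedit and
# compare it to the values the configuration item is expected to enforce.
# $Expected holds hypothetical thresholds; replace them with your own.
$Expected = @{
    MinimumPasswordLength = 8     # Minimum password length (characters)
    MaximumPasswordAge    = 90    # Password expiration in days
    PasswordHistorySize   = 5     # Number of passwords remembered
}

$cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
try {
    # Export only the security policy area; key names are not localized.
    secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed ($LASTEXITCODE)" }

    # Collect every "Name = <integer>" line from the exported template.
    $actual = @{}
    foreach ($line in Get-Content -LiteralPath $cfg) {
        if ($line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $actual[$Matches[1]] = [int]$Matches[2]
        }
    }
}
finally {
    Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
}

$report = foreach ($name in $Expected.Keys) {
    $want = $Expected[$name]
    $have = $actual[$name]
    $ok = switch ($name) {
        # Expiration must be set (0 and -1 mean "never") and no longer than expected.
        'MaximumPasswordAge' { $null -ne $have -and $have -gt 0 -and $have -le $want }
        # Length and history must be at least the expected value.
        default              { $null -ne $have -and $have -ge $want }
    }
    [pscustomobject]@{
        Setting   = $name
        Expected  = $want
        Effective = if ($null -eq $have) { 'not configured' } else { $have }
        Result    = if ($ok) { 'OK' } else { 'MISMATCH' }
    }
}
$report | Format-Table -AutoSize
```

A `MISMATCH` row on a device whose baseline reports Compliant indicates the evaluation problem described in the note above.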

To create a Windows 10 configuration item

In the Configuration Manager console, select Assets and Compliance.

In the Assets and Compliance workspace, expand Compliance Settings, and then select Configuration Items.

On the Home tab, in the Create group, select Create Configuration Item.

On the General page of the Create Configuration Item wizard, specify a name and optional description for the configuration item.

Under Specify the type of configuration item that you want to create, select Windows 10.

If you create and assign categories to help you search and filter configuration items in the Configuration Manager console, select Categories.

On the Supported Platforms page of the wizard, select the specific Windows 10 platforms that will evaluate the configuration item.

Critical with event: Devices that fail this compliance rule report a failure severity of Critical for Configuration Manager reports. This severity level is also logged as a Windows event in the application event log.

On the Platform Applicability page of the wizard, review any settings that aren't compatible with the supported platforms you selected earlier. You can go back and remove these settings, or you can continue.

Tip

Unsupported settings are not assessed for compliance.

Complete the wizard.

You can view the new configuration item in the Configuration Items node of the Assets and Compliance workspace.

Windows 10 configuration item settings reference

Password

| Setting | Details |
| --- | --- |
| Require password settings on devices | Requires a password on supported devices. |
| Minimum password length (characters) | The minimum length in characters for the password. |
| Password expiration in days | The number of days before the password must be changed. |
| Number of passwords remembered | Prevents reusing previous passwords. |
| Number of failed logon attempts before a device is wiped | Wipes the device if sign-in fails this number of times. |
| Idle time before device is locked | Specifies how many minutes the device must be inactive before it's automatically locked. |
| Password complexity | Choose whether you can specify a PIN such as '1234', or whether you must supply a strong password. |
| Number of complex character sets required in password | If you selected a Strong password, use this setting to configure the number of complex character sets required. For a strong password, this setting should be set to at least 3, which means both letters and numbers are required. Select 4 if you want to enforce a password that additionally requires special characters, such as (%$. (Windows 10 only) |

Device

| Setting name | Details |
| --- | --- |
| Bluetooth | Allows use of the Bluetooth feature on the device. |

Cloud

| Setting name | Details |
| --- | --- |
| Settings synchronization | Allows synchronization of settings between devices. |
| Credentials synchronization | Allows synchronization of credentials between devices. |
| Settings synchronization over metered connections | Allows settings to be synchronized when the internet connection is metered. |

Roaming

| Setting name | Details |
| --- | --- |
| Data roaming | Allows roaming between networks when accessing data. |

Encryption

| Setting name | Details |
| --- | --- |
| File encryption on device | Requires that files on the device are encrypted. |

System security

| Setting name | Details |
| --- | --- |
| User Account Control | Configures how Windows User Account Control works on the device. For example, you can disable it, or set the level at which it notifies you. |
| Network firewall | Enables or disables Windows Firewall. |
| SmartScreen | Enables or disables Windows SmartScreen. |
| Virus protection | Requires that antivirus software must be installed and configured. |
| Virus protection signatures are up to date | Requires that the signature files for the antivirus software on the device must be up to date. |

Windows Information Protection

With the increase of employee-owned devices in the enterprise, there's also an increasing risk of accidental data leaks through apps and services, like email, social media, and the public cloud. These are outside of the organization's control. Examples include when an employee:

Sends the latest engineering pictures from their personal email account.